Twitter and FTC Settle Over Privacy Breaches

In the FTC's first case against a social networking site, Twitter agreed to establish a security program that will be audited by another company. According to an FTC news release issued last week, Twitter "will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information."

Twitter also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.

The FTC argues that people who use social networking sites may choose to share some information, but they have a right to assume that their personal information is private and secure, according to David Vladeck, director of the FTC's Bureau of Consumer Protection.

"When a company promises consumers that their personal information is secure, it must live up to that promise," Vladeck wrote. "Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations."

The FTC case revolves around two security breaches that took place in January and April 2009. In the first case, a hacker used a password-guessing application to gain administrative control. According to the FTC, the cracked password was a lowercase, common dictionary word. After getting the password right, the hacker reset several passwords and posted some on another Web site.

Using those reset passwords, other people sent fake tweets from about nine user accounts, including the account of then-President-elect Barack Obama, offering his followers the opportunity to win $500 in free gasoline. At least one fraudulent tweet was sent from the account of Fox News.

During the second incident in April, a hacker gained access to a Twitter employee's personal e-mail account after guessing a password. The hacker found a password stored in plain text and used it as the basis to reset the password for at least one Twitter user. The hacker also had access to nonpublic user information and tweets, the FTC explained.

The April attack was carried out by a 23-year-old French-born hacker, who received a suspended sentence last week in a French court.

According to the FTC's complaint, Twitter failed to prevent unauthorized administrative control. The company needed to take a number of "reasonable steps" to ensure security, such as:

Using hard-to-guess administrative passwords that are not used for accessing "other programs, Web sites or networks";

Disabling administrative password access "after a reasonable number of unsuccessful login attempts"; and
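As an added illustration of the two "reasonable steps" listed above (example code written for this page, not anything from Twitter or the FTC's complaint), a small Python admin-login gate that refuses short or lowercase dictionary-word passwords and locks an account after a fixed number of unsuccessful attempts. The word list, the five-attempt limit and the 15-minute lockout window are assumed values.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample wordlist; a real deployment would load a full dictionary (assumption).
COMMON_WORDS = {"password", "happiness", "twitter", "welcome", "letmein"}
MAX_FAILURES = 5         # assumed "reasonable number" of unsuccessful attempts
LOCKOUT_SECONDS = 900    # assumed lockout window once the limit is reached


def is_weak_admin_password(candidate: str) -> bool:
    """True for passwords a guessing tool tries first: short, or a lowercase dictionary word."""
    return len(candidate) < 12 or candidate.lower() in COMMON_WORDS


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the store never holds a plain-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class AdminAuth:
    """Admin credential store with per-account lockout after repeated failures."""
    _creds: dict = field(default_factory=dict)         # user -> (salt, digest)
    _failures: dict = field(default_factory=dict)      # user -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # user -> unix time lock expires

    def register(self, user: str, password: str) -> None:
        if is_weak_admin_password(password):
            raise ValueError("admin password too weak (short or dictionary word)")
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _hash(password, salt))

    def login(self, user: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self._locked_until.get(user, 0) > now:
            return "locked"  # attempts during the lockout window are not evaluated at all
        stored = self._creds.get(user)
        if stored is not None:
            salt, digest = stored
            if secrets.compare_digest(_hash(password, salt), digest):
                self._failures[user] = 0  # a success clears the failure counter
                return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
        return "denied"
```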

In a blog post, Twitter's general counsel, Alexander Macgillivray, wrote that the breaches occurred when the company had fewer than 50 employees. "Put simply," he wrote, "we were the victim of an attack and user accounts were improperly accessed."

Macgillivray wrote that Twitter fixed the security hole and notified affected account holders within hours of the January incident. He also noted that Twitter published a blog alert on the same day.

In the April incident, he wrote that Twitter removed the hacker's administrative access in less than 18 minutes and notified affected users. They also posted a blog item about the incident within a few days.

Macgillivray indicated that the agreement with the FTC was not extreme. "Even before the agreement, we'd implemented many of the F.T.C.'s suggestions and the agreement formalizes our commitment to those security practices," he wrote.

According to the New York Times, Twitter distributed a fact sheet about the settlement and said of the FTC: "We think they saw it as an opportunity to make an example of us in the hopes of curtailing breaches -- including those many more serious than ours -- in our industry."

Forrester Research's Jonathan Penn speculated in a blog post about why the FTC got involved in the Twitter case. Most privacy breach cases relate to laws protecting personally identifiable information (PII), and the Twitter incidents did not involve data protected under PII laws.

"This isn't the kind of data breach that the FTC normally delves into," Penn wrote. "Oversight [at Twitter] must have appeared to the FTC to be so lax as to be in violation of Twitter's privacy policy -- that is the kind of thing that it would and does pursue. Of course, having someone crack into Barack Obama's account on your service is certainly going to raise the profile of the incident."

Penn suggested that expanding the breach liability scope is a growing trend. "Organizations should brace themselves and prepare for increased oversight and exposure to liability as it pertains to private (but not personally identifiable) information," he wrote.

The Electronic Privacy Information Center (EPIC) called the settlement a "significant enforcement action."